Active Exploitation of Citrix NetScaler CVE-2025-6543 in Dutch Critical Sectors
Summary
The Dutch National Cyber Security Centre (NCSC-NL) has confirmed active exploitation of the critical Citrix NetScaler CVE-2025-6543 vulnerability in several critical organizations within the Netherlands. The flaw, which allows unintended control flow and denial-of-service (DoS), has been exploited since May 2025. A recent coordinated reconnaissance campaign targeting Citrix NetScaler infrastructure used tens of thousands of residential proxies to discover login panels between January 28 and February 2, 2026. The activity involved 63,000 distinct IPs launching 111,834 sessions, with 79% of the traffic aimed at Citrix Gateway honeypots. Investigations are ongoing to determine the full extent of the impact. The exploitation involved the use of web shells for remote access, and attackers attempted to erase traces of their activities. Organizations are advised to apply the latest updates, terminate active sessions, and run a provided shell script to hunt for indicators of compromise.
Timeline
- 03.02.2026 22:25 · 1 article
Coordinated Reconnaissance Campaign Using Residential Proxies
A coordinated reconnaissance campaign targeting Citrix NetScaler infrastructure used tens of thousands of residential proxies to discover login panels between January 28 and February 2, 2026. The activity involved 63,000 distinct IPs launching 111,834 sessions, with 79% of the traffic aimed at Citrix Gateway honeypots. The campaign targeted specific URLs to identify exposed Citrix login panels and enumerate Citrix versions, indicating a sophisticated and organized effort.
Sources:
- Wave of Citrix NetScaler scans use thousands of residential proxies — www.bleepingcomputer.com — 03.02.2026 22:25
- 12.08.2025 11:36 · 2 articles
Active Exploitation of Citrix NetScaler CVE-2025-6543 Confirmed in Dutch Critical Sectors
The Dutch NCSC-NL has confirmed active exploitation of CVE-2025-6543 in critical sectors within the Netherlands. The vulnerability has been exploited since May 2025, with web shells used for remote access. The exploitation was discovered on July 16, 2025. Organizations are advised to apply patches, terminate active sessions, and use a provided shell script to detect indicators of compromise.
Sources:
- Dutch NCSC Confirms Active Exploitation of Citrix NetScaler CVE-2025-6543 in Critical Sectors — thehackernews.com — 12.08.2025 11:36
- Wave of Citrix NetScaler scans use thousands of residential proxies — www.bleepingcomputer.com — 03.02.2026 22:25
Information Snippets
- CVE-2025-6543 is a critical vulnerability in Citrix NetScaler ADC with a CVSS score of 9.2.
  First reported: 12.08.2025 11:36 · 1 source, 1 article
  - Dutch NCSC Confirms Active Exploitation of Citrix NetScaler CVE-2025-6543 in Critical Sectors — thehackernews.com — 12.08.2025 11:36
- The vulnerability allows unintended control flow and denial-of-service (DoS) when devices are configured as a Gateway or AAA virtual server.
  First reported: 12.08.2025 11:36 · 1 source, 1 article
  - Dutch NCSC Confirms Active Exploitation of Citrix NetScaler CVE-2025-6543 in Critical Sectors — thehackernews.com — 12.08.2025 11:36
- The flaw was disclosed in late June 2025, with patches released for affected versions.
  First reported: 12.08.2025 11:36 · 1 source, 1 article
  - Dutch NCSC Confirms Active Exploitation of Citrix NetScaler CVE-2025-6543 in Critical Sectors — thehackernews.com — 12.08.2025 11:36
- CVE-2025-6543 was added to the U.S. CISA's Known Exploited Vulnerabilities (KEV) catalog on June 30, 2025.
  First reported: 12.08.2025 11:36 · 1 source, 1 article
  - Dutch NCSC Confirms Active Exploitation of Citrix NetScaler CVE-2025-6543 in Critical Sectors — thehackernews.com — 12.08.2025 11:36
- The vulnerability has been exploited as a zero-day since early May 2025.
  First reported: 12.08.2025 11:36 · 2 sources, 2 articles
  - Dutch NCSC Confirms Active Exploitation of Citrix NetScaler CVE-2025-6543 in Critical Sectors — thehackernews.com — 12.08.2025 11:36
  - Wave of Citrix NetScaler scans use thousands of residential proxies — www.bleepingcomputer.com — 03.02.2026 22:25
- The exploitation was discovered on July 16, 2025.
  First reported: 12.08.2025 11:36 · 1 source, 1 article
  - Dutch NCSC Confirms Active Exploitation of Citrix NetScaler CVE-2025-6543 in Critical Sectors — thehackernews.com — 12.08.2025 11:36
- Malicious web shells were found on Citrix devices during the investigation.
  First reported: 12.08.2025 11:36 · 1 source, 1 article
  - Dutch NCSC Confirms Active Exploitation of Citrix NetScaler CVE-2025-6543 in Critical Sectors — thehackernews.com — 12.08.2025 11:36
- The exploitation is attributed to a sophisticated threat actor.
  First reported: 12.08.2025 11:36 · 2 sources, 2 articles
  - Dutch NCSC Confirms Active Exploitation of Citrix NetScaler CVE-2025-6543 in Critical Sectors — thehackernews.com — 12.08.2025 11:36
  - Wave of Citrix NetScaler scans use thousands of residential proxies — www.bleepingcomputer.com — 03.02.2026 22:25
- Organizations are advised to apply the latest updates and terminate active sessions to mitigate risks.
  First reported: 12.08.2025 11:36 · 1 source, 1 article
  - Dutch NCSC Confirms Active Exploitation of Citrix NetScaler CVE-2025-6543 in Critical Sectors — thehackernews.com — 12.08.2025 11:36
- A shell script is available to hunt for indicators of compromise associated with the exploitation of CVE-2025-6543.
  First reported: 12.08.2025 11:36 · 1 source, 1 article
  - Dutch NCSC Confirms Active Exploitation of Citrix NetScaler CVE-2025-6543 in Critical Sectors — thehackernews.com — 12.08.2025 11:36
- A coordinated reconnaissance campaign targeting Citrix NetScaler infrastructure used tens of thousands of residential proxies to discover login panels between January 28 and February 2, 2026.
  First reported: 03.02.2026 22:25 · 1 source, 1 article
  - Wave of Citrix NetScaler scans use thousands of residential proxies — www.bleepingcomputer.com — 03.02.2026 22:25
- The scanning activity involved 63,000 distinct IPs launching 111,834 sessions, with 79% of the traffic aimed at Citrix Gateway honeypots.
  First reported: 03.02.2026 22:25 · 1 source, 1 article
  - Wave of Citrix NetScaler scans use thousands of residential proxies — www.bleepingcomputer.com — 03.02.2026 22:25
- 64% of the scanning traffic came from residential proxies, while 36% originated from a single Azure IP address.
  First reported: 03.02.2026 22:25 · 1 source, 1 article
  - Wave of Citrix NetScaler scans use thousands of residential proxies — www.bleepingcomputer.com — 03.02.2026 22:25
- The activity targeted the authentication interface at '/logon/LogonPoint/index.html' to identify exposed Citrix login panels.
  First reported: 03.02.2026 22:25 · 1 source, 1 article
  - Wave of Citrix NetScaler scans use thousands of residential proxies — www.bleepingcomputer.com — 03.02.2026 22:25
- A second indicator involved targeting the URL path '/epa/scripts/win/nsepa_setup.exe' to enumerate Citrix versions via EPA artifacts.
  First reported: 03.02.2026 22:25 · 1 source, 1 article
  - Wave of Citrix NetScaler scans use thousands of residential proxies — www.bleepingcomputer.com — 03.02.2026 22:25
- The attacker employed a user agent for Chrome 50, released in early 2016, indicating potential interest in version-specific exploit development.
  First reported: 03.02.2026 22:25 · 1 source, 1 article
  - Wave of Citrix NetScaler scans use thousands of residential proxies — www.bleepingcomputer.com — 03.02.2026 22:25
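As an added example (not taken from the NCSC advisory or either cited article), the reconnaissance pattern described in the snippets above reduced to detection logic run over constructed access-log lines: it counts requests to the two probed paths, distinct source addresses per path, requests carrying the Chrome 50 user agent, and how much of the probe traffic a single source accounts for (the kind of concentration behind the page's one-Azure-IP observation). It assumes Apache/nginx "combined" log format rather than NetScaler's native logging, and the analyze() function and sample addresses (RFC 5737 documentation ranges) are my own constructions.

```python
import re
from collections import Counter, defaultdict

# Paths the page reports the scanners probed (Gateway logon page, EPA installer).
RECON_PATHS = ("/logon/LogonPoint/index.html", "/epa/scripts/win/nsepa_setup.exe")
LEGACY_UA = re.compile(r"Chrome/50\.")  # the 2016-era Chrome 50 UA the page describes

# Assumption: Apache/nginx "combined" access-log format, not NetScaler's native syslog.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def analyze(lines):
    """Count probes of the recon paths, distinct sources, legacy-UA hits and the busiest source."""
    ips_by_path, hits_by_ip, legacy, total = defaultdict(set), Counter(), 0, 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production job should count these too
        path = m["path"].split("?", 1)[0]  # drop the query string before matching
        if path not in RECON_PATHS:
            continue
        total += 1
        ips_by_path[path].add(m["ip"])
        hits_by_ip[m["ip"]] += 1
        legacy += bool(LEGACY_UA.search(m["ua"]))
    top = hits_by_ip.most_common(1)
    return {
        "recon_requests": total,
        "distinct_ips": len(hits_by_ip),
        "ips_per_path": {p: len(s) for p, s in ips_by_path.items()},
        "legacy_ua_hits": legacy,
        "top_source": top[0][0] if top else None,
        "top_source_share": round(top[0][1] / total, 2) if top else 0.0,
    }

def _line(ip, path, ua):  # one constructed combined-format log line
    return f'{ip} - - [01/Feb/2026:10:00:00 +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

# Constructed sample (RFC 5737 documentation addresses, not real indicators).
OLD_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"
NEW_UA = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
SAMPLE_LOG = [
    _line("203.0.113.10", RECON_PATHS[0], OLD_UA),
    _line("203.0.113.11", RECON_PATHS[0], OLD_UA),
    _line("198.51.100.7", RECON_PATHS[1], OLD_UA),
    _line("198.51.100.7", RECON_PATHS[0], OLD_UA),
    _line("198.51.100.7", RECON_PATHS[1], OLD_UA),
    _line("192.0.2.5", "/index.html", NEW_UA),            # unrelated request, ignored
    _line("192.0.2.6", RECON_PATHS[0] + "?v=1", NEW_UA),  # probe with a modern browser UA
]
```

On the sample, `analyze(SAMPLE_LOG)` reports 6 probe requests from 4 distinct addresses, 5 of them with the Chrome 50 UA, and one source (198.51.100.7) producing half the probes; run it on a real file with `analyze(open("access.log"))`.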
Similar Happenings
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) has **reiterated urgent warnings** to U.S. federal agencies after discovering that some organizations incorrectly applied updates for **CVE-2025-20333** and **CVE-2025-20362**, leaving devices marked as 'patched' but still vulnerable to active exploitation. CISA confirmed it is tracking ongoing attacks targeting unpatched Cisco ASA and Firepower devices within Federal Civilian Executive Branch (FCEB) agencies, with over **30,000 devices** remaining exposed globally, down from 45,000 in early October. The vulnerabilities enable unauthenticated remote code execution, unauthorized access to restricted endpoints, and denial-of-service (DoS) attacks. They have been linked to the **ArcaneDoor campaign**, a state-sponsored group active since at least July 2023, which has deployed malware like **RayInitiator** and **LINE VIPER**, manipulated ROM for persistence, and forced devices into reboot loops. CISA’s **Emergency Directive 25-03**, issued in September 2025, mandates federal agencies to account for all affected devices, disconnect end-of-support systems, and apply minimum software versions. The directive also introduced the **RayDetect scanner** to detect compromise evidence in ASA core dumps. Recent findings reveal the same threat actor also exploited **CVE-2025-5777 (Citrix Bleed 2)** and **CVE-2025-20337 (Cisco ISE)** as zero-days, deploying a custom web shell ('IdentityAuditAction') with advanced evasion techniques. The campaign’s indiscriminate targeting and multi-platform exploitation underscore the adversary’s broad capabilities and access to sophisticated tools.
HexStrike AI weaponized to exploit Citrix vulnerabilities
Threat actors have begun using HexStrike AI, an AI-driven security tool, to exploit recently disclosed Citrix vulnerabilities. HexStrike AI, designed for authorized red teaming and bug bounty hunting, has been repurposed to automate the exploitation of security flaws. This development highlights the rapid weaponization of AI tools by malicious actors, significantly reducing the time between vulnerability disclosure and exploitation. The exploitation attempts target three Citrix vulnerabilities disclosed last week. Threat actors are using HexStrike AI to identify and exploit vulnerable NetScaler instances, which are then offered for sale on dark web forums. This trend underscores the growing threat of AI-powered cyberattacks and the need for robust defensive measures. CheckPoint Research observed significant chatter on the dark web around HexStrike-AI, associated with the rapid weaponization of newly disclosed Citrix vulnerabilities, including CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424. Nearly 8,000 endpoints remain vulnerable to CVE-2025-7775 as of September 2, 2025, down from 28,000 the previous week. CheckPoint recommends defenders focus on early warning through threat intelligence, AI-driven defenses, and adaptive detection.
FreePBX Zero-Day Exploited in the Wild, Emergency Patch Released
A zero-day vulnerability in FreePBX (CVE-2025-57819) is actively exploited in the wild. The flaw allows unauthenticated access to the FreePBX Administrator, leading to arbitrary database manipulation and remote code execution. FreePBX versions 15, 16, and 17 are affected. The exploit has been used since at least August 21, 2025, targeting systems with inadequate IP filtering or access control lists (ACLs). Sangoma has released an emergency patch and indicators of compromise (IOCs) to help administrators detect exploitation. Users are advised to upgrade, restrict public access to the administrator control panel, and check for a known issue in the v17 'framework' module that may prevent automated update notification emails. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by September 19, 2025.
Multiple vulnerabilities in Citrix and Git added to CISA KEV catalog
CISA has added multiple vulnerabilities to its KEV catalog due to active exploitation. The flaws affect Citrix Session Recording, Git, and Citrix NetScaler ADC and NetScaler Gateway. The Citrix Session Recording vulnerabilities were patched in November 2024, the Git flaw was addressed in July 2025, and the NetScaler vulnerabilities were patched in August 2025. Federal agencies must apply mitigations by September 15, 2025, for the earlier vulnerabilities and within 48 hours for the NetScaler vulnerabilities. The vulnerabilities are CVE-2024-8068, CVE-2024-8069, CVE-2025-48384, CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424. The first two affect Citrix Session Recording, the third affects Git, and the last three affect Citrix NetScaler ADC and NetScaler Gateway. CVE-2025-48384 is an arbitrary file write vulnerability in Git due to inconsistent handling of carriage return characters in configuration files. The vulnerability affects macOS and Linux systems, with Windows systems being immune due to differences in control character usage. The flaw was resolved in Git versions 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1. The vulnerability impacts software developers using Git on workstations and CI/CD build systems. CVE-2025-7775 is a memory overflow vulnerability leading to remote code execution and/or denial-of-service. CVE-2025-7776 is a memory overflow vulnerability leading to unpredictable behavior and denial-of-service. CVE-2025-8424 is an improper access control vulnerability in the NetScaler Management Interface. CVE-2025-7775 has been actively exploited in the wild and was added to the CISA KEV catalog on August 26, 2025, requiring federal agencies to remediate within 48 hours. The vulnerabilities affect both supported and unsupported, end-of-life versions of Citrix NetScaler ADC and NetScaler Gateway. Nearly 20% of NetScaler assets identified are on unsupported versions, primarily in North America and the APAC region. The vulnerabilities affect similar components in NetScaler ADC and NetScaler Gateway as the CitrixBleed and CitrixBleed2 vulnerabilities.
N-able N-central vulnerabilities exploited in the wild
Over 800 N-able N-central servers remain unpatched against two critical security flaws, CVE-2025-8875 and CVE-2025-8876, which have been actively exploited in the wild. These vulnerabilities allow for command execution and command injection, respectively. The issues have been addressed in N-central versions 2025.3.1 and 2024.6 HF2, released on August 13, 2025. N-able has urged customers to enable multi-factor authentication (MFA) for admin accounts to mitigate potential risks. The exploitation of these vulnerabilities highlights the importance of timely patching and robust security measures in managing remote monitoring and management (RMM) systems. The active exploitation in the wild underscores the need for vigilance and proactive security practices among cybersecurity professionals. CISA has added the flaws to its Known Exploited Vulnerabilities Catalog and ordered federal agencies to patch their systems within one week.